12.1.10 Checking the Audit Log
The audit log is collected when the audit function is used in these systems. Use the viewaudit command to view the audit log.
Operation Procedure
- Execute the viewaudit command on the XSCF shell.
The following example displays all audit records.
```
XSCF> viewaudit
file,1,2012-04-26 21:37:25.626 +00:00,20120426213725.0000000000.SCF-4-0
header,20,1,audit - start,0.0.0.0,2012-04-26 21:37:25.660 +00:00
header,43,1,authenticate,0.0.0.0,2012-04-26 22:01:28.902 +00:00
authentication,failure,,unknown user,telnet 27652 0.0.197.33
header,37,1,login - telnet,0.0.0.0,2012-04-26 22:02:26.459 +00:00
subject,1,opl,normal,telnet 50466 10.18.108.4
header,78,1,command - setprivileges,0.0.0.0,2012-04-26 22:02:43.246 +00:00
subject,1,opl,normal,telnet 50466 10.18.108.4
command,setprivileges,opl,useradm
platform access,granted
return,0
```
- As shown in the above example, records are displayed in text format by default. One token is displayed per line, with a comma as the field delimiter character.
The token types and their fields are shown in Table 12-6 (in the display order).
Token Type | Field (Display Order) |
---|---|
File Token | Label, version, time, file name |
Header Token | Label, record byte count, version, event type, machine address, time (event recording time) |
Subject Token | Label, audit session ID, UID, mode of operation, terminal type, remote IP address, remote port |
Upriv Token | Label, success/failure |
Udpriv Token | Label, success/failure, user privilege, domain ID 1, ..., domain ID N |
Command Token | Label, command name, operand 1, ..., operand N |
Authentication Token | Label, authentication result, user name, message, terminal type, remote IP address, remote port |
Return Token | Label, return value |
Text Token | Label, text string |

Note - Some fields might not be output depending on the environment.
- The main audit events and tokens are as follows:
  - Login telnet
    - Header
    - Subject
    - Text
    - Return
  - Login SSH
    - Same as for Login telnet
  - Login BUI
    - Same as for Login telnet
  - Logout
    - Header
    - Subject
  - Audit start
    - Header
  - Audit stop
    - Header
  - Shell command
    - Header
    - Subject
    - Command
    - Text
    - Upriv | Udpriv
    - Return

Note - Some tokens might not be output depending on the environment. Also, this information is subject to change without prior notice for functional improvement.

Note - For details of the log options, audit classes, and audit events of the viewaudit(8) command, see the man pages or the Fujitsu SPARC M12 and Fujitsu M10/SPARC M10 XSCF Reference Manual.
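
The following is an added example, not part of the manual or of XSCF: a Python sketch that groups the default text output of viewaudit into records and lists failed authentications and watched shell commands for review. Field positions follow Table 12-6; the WATCHED set, the function names, and the reading of the terminal field as "type, port, address" (the order seen in the sample output) are assumptions.

```python
# Constructed sample: the records shown in the viewaudit example on this page.
SAMPLE = """\
file,1,2012-04-26 21:37:25.626 +00:00,20120426213725.0000000000.SCF-4-0
header,20,1,audit - start,0.0.0.0,2012-04-26 21:37:25.660 +00:00
header,43,1,authenticate,0.0.0.0,2012-04-26 22:01:28.902 +00:00
authentication,failure,,unknown user,telnet 27652 0.0.197.33
header,37,1,login - telnet,0.0.0.0,2012-04-26 22:02:26.459 +00:00
subject,1,opl,normal,telnet 50466 10.18.108.4
header,78,1,command - setprivileges,0.0.0.0,2012-04-26 22:02:43.246 +00:00
subject,1,opl,normal,telnet 50466 10.18.108.4
command,setprivileges,opl,useradm
platform access,granted
return,0
"""
WATCHED = {"setprivileges"}  # assumption: commands a reviewer wants surfaced

def parse_records(text):
    """Group tokens (one per line) into records opened by a file or header token."""
    records = []
    for line in text.splitlines():
        fields = line.strip().split(",")
        if fields == [""] or fields[0].startswith("XSCF>"):
            continue  # skip blank lines and the shell prompt line
        if fields[0] in ("file", "header") or not records:
            records.append([fields])
        else:
            records[-1].append(fields)
    return records

def field(record, label, index):
    """Field `index` of the first `label` token, or "" if token or field is absent."""
    for tok in record:
        if tok[0] == label and len(tok) > index:
            return tok[index]
    return ""

def review(records):
    """Return (kind, time, user, source address, detail) for events worth review."""
    findings = []
    for rec in records:
        when = field(rec, "header", 5)
        if field(rec, "authentication", 1) == "failure":
            src = field(rec, "authentication", 4).split()
            findings.append(("auth-failure", when, field(rec, "authentication", 2),
                             src[-1] if src else "", field(rec, "authentication", 3)))
        elif field(rec, "command", 1) in WATCHED:
            src = field(rec, "subject", 4).split()
            findings.append(("command", when, field(rec, "subject", 2),
                             src[-1] if src else "", "return=" + field(rec, "return", 1)))
    return findings
```

Because some tokens and fields might not be output depending on the environment, the lookup returns an empty string for anything missing rather than raising an error.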